From: Andrew R. <an...@db...> - 2013-01-25 07:56:24

You wouldn't need to point Webmin to 1.0.1, you'd need to make sure that perl compiled the Net::SSLeay module using the openssl-1.0.1c libs instead of the system 0.9.8e libs. Here are the steps I use:

1. Download openssl-1.0.1c
2. Unpack to /tmp
3. cd to /tmp/openssl-1.0.1c
4. Use "./config -shared --prefix=/usr" to configure it with shared libs and headers
5. Make it
6. Make test it
7. Make install it
8. Using cpan, first install Bundle::CPAN to make sure you have the latest version of those components
9. Then, after that "upgrade" is finished, use cpan to install Net::SSLeay by typing at the cpan prompt: "install Net::SSLeay"
10. Make sure to have it run the external tests. It should show that it found openssl 1.0.1c and some warning about using the same compiler.

Thanks,
Andrew Reis
DBMS Inc.

From: Fajar Priyanto [mailto:faj...@ar...]
Sent: Friday, January 25, 2013 1:10 AM
To: Webmin users list
Subject: Re: [webmin-l] PCI Compliance Issues

Hi Jamie,

Any specific reason why we need openssl 1.0.1 for webmin? (beside the security fixes, performance, etc :))

Because currently Centos 5 has only openssl 0.9.8, and when I google how to get 1.0.1 for it, it shows https://www.axivo.com/community/threads/upgrade-to-openssl-1-0-1-in-centos.180/ , but it is only for 64bit. Mine is 32bit Centos :(

I think I may be able to build the webmin from source and point it to openssl 1.0.1 libs, but if there is an easier way, I'd prefer that :)

Thank you.

On Sun, Jan 20, 2013 at 2:58 AM, Jamie Cameron <jca...@we...> wrote:

You may want to try downloading the latest development version of Webmin from http://www.webmin.com/devel.html - it contains a new option at Webmin -> Webmin Configuration -> SSL Encryption to disable SSL compression, which is required by this exploit. It requires that your system have at least OpenSSL version 1.0.1 though.

On 19/Jan/2013 09:47 Andrew S Reis <an...@db...> wrote ..

> Hello,
>
> One of our customers reported that they failed their PCI Compliance scan.
> Here is the excerpt from the PCI Results that failed:
>
> Vulnerability:
>
> BEAST (Browser Exploit Against SSL/TLS) Vulnerability
> The SSL protocol encrypts data by using CBC mode with chained
> initialization vectors. This allows an attacker, which has gotten
> access to an HTTPS session via man-in-the-middle (MITM) attacks or
> other means, to obtain plain text HTTP headers via a block wise
> chosen-boundary attack (BCBA) in conjunction with JavaScript code
> that uses the HTML5 Web Socket API, the Java URLConnection API,
> or the Silverlight Web Client API. This vulnerability is more commonly
> referred to as Browser Exploit Against SSL/TLS or "BEAST".
> CVE: CVE-2011-3389
> NVD: CVE-2011-3389
> Bugtraq: 49778
> CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=665814,
> http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite,
> http://technet.microsoft.com/en-us/security/bulletin/ms12-006
> Service: http
>
> Remediation:
>
> Affected users should disable all block-based cipher
> suites in the server's SSL configuration and only support
> RC4 ciphers, which are not vulnerable to fully address
> this vulnerability. This vulnerability was addressed in
> TLS version 1.1/1.2, however, support for these newer
> TLS versions is not widely supported at the time of this
> writing, making it difficult to disable earlier versions.
> Additionally, affected users can also configure SSL to
> prefer RC4 ciphers over block-based ciphers to limit, but
> not eliminate, exposure. Affected users that implement
> prioritization techniques for mitigation as described
> above should appeal this vulnerability and include
> details of the SSL configuration.
>
> I have tried a few different fixes, along with bulleting "Use Only
> PCI-Compliant Ciphers", but the error is still thrown.
> When I connect with Google Chrome, it shows the following for encryption:
>
> Your connection to <IP Address> is encrypted with 256-bit encryption.
> The Connection uses TLS 1.1.
> The connection is encrypted using CAMELLIA_256_CBC with SHA1 for message
> authentication and RSA as the key exchange mechanism.
> The connection does not use SSL compression.
>
> I currently have the following string in the SSL encryption module:
>
> RC4-SHA:HIGH:!ADH:!LOW:!MEDIUM:!SSLv2
>
> This machine has OpenSSL 1.0.1c compiled and installed and used by Webmin.
>
> Any Ideas?
>
> Thanks,
>
> Andrew Reis | MCTS, Network+
> Microsoft Windows/Networking Support
> Webmaster
> DBMS Inc.
> Toll-Free: (888) 862-0662 ext. 307
> Direct: (318) 219-5034
> Email: an...@db...
> Web: http://www.dbmsinc.com <http://www.dbmsinc.com/>
> Be sure to follow us on Facebook
> <https://www.facebook.com/pages/DBMS-Inc/222425227776586?fref=ts> and
> Twitter

--
To dream and to write ^^
http://mars.arinet.org
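As an added example (not code from the thread or from Webmin), the Python below expands the cipher string Andrew posted the way the linked OpenSSL does and classifies each resulting suite, showing that HIGH still pulls in CBC suites such as Camellia, which is why a client can negotiate CAMELLIA_256_CBC even with RC4-SHA listed first; it also builds a server context with the two settings the thread converges on, compression off and server-side cipher order. It assumes whatever OpenSSL the local Python is built against, so the expanded list differs between systems (RC4 is absent on modern builds).

```python
import ssl

# Cipher string from Andrew's message (server-side OpenSSL cipher list).
WEBMIN_CIPHER_STRING = "RC4-SHA:HIGH:!ADH:!LOW:!MEDIUM:!SSLv2"


def classify(suite):
    """Mode class of an OpenSSL suite name. For TLS 1.0-1.2 suites anything
    that is not AEAD (GCM/CCM/ChaCha20), RC4 or NULL is a CBC block cipher,
    i.e. the class BEAST (CVE-2011-3389) targets."""
    n = suite.upper()
    if "GCM" in n or "CCM" in n or "CHACHA20" in n:
        return "aead"
    if "RC4" in n:
        return "stream"
    if "NULL" in n:
        return "none"
    return "cbc"


def expand_cipher_string(cipher_string):
    """Concrete suites the linked OpenSSL would offer for this string, in
    OpenSSL's own order. Returns [] when no suite matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def beast_report(cipher_string):
    """Which enabled suites are still CBC, and whether RC4 is really first."""
    suites = expand_cipher_string(cipher_string)
    return {
        "enabled": suites,
        "cbc": [s for s in suites if classify(s) == "cbc"],
        "rc4_first": bool(suites) and classify(suites[0]) == "stream",
    }


def hardened_server_context():
    """Server context with compression disabled (the option Jamie added to
    Webmin) and server-side cipher preference, so the server's ordering, not
    the client's, decides the suite. Python already sets both by default;
    the explicit OR makes the intent visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def context_is_hardened(ctx):
    return bool(ctx.options & ssl.OP_NO_COMPRESSION) and bool(
        ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)
```

Run `beast_report(WEBMIN_CIPHER_STRING)["cbc"]` to list the CBC suites your OpenSSL still offers under that string; an empty `rc4_first` on current builds reflects RC4 no longer being compiled in.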